NAT translation help

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

NAT translation help

L1 Bithead

For the life of me I can't figure out something that should be simple. I'm having a problem with a nat translation setup. Here is the requirement:

 

I have various computers/devices on several IP addresses and different subinterfaces, for example:

 

Device 1:

IP address: 10.47.5.21

Subinterface: Ethernet1/1.5

Zone: Control_NET

Device 2:

IP address: 10.47.20.50
Subinterface: Ethernet1/1.20

Zone: Server_NET

 

I need to NAT these devices to another range, in this example, to 172.221.16.32/28 range. So it should go like this:

 

10.47.5.21 <-> 172.221.16.32

10.47.20.50 <-> 172.221.16.42

...

 

The reason for this is I have a customer that has a site-to-site VPN connection and will only be looking at the 172.221.16.32/28 range. What sort of NAT translation do I need to do? I've tried the following and it's not working:

 

NAT Rule.png

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

Do you have corresponding security policies to allow the traffic? The logs should show if/why the traffic is getting blocked. This is just the NAT part of it. Also check routing?

 

Just some thoughts.

I believe so. I have an allow policy with Control_Net and Server_Net as the source zone and the VPN as the destination zone, and a corrisponding allow policy with the VPN as the source zone and Control_Net and Server_Net as the destination zone. I'm not sure if this is the right way as the Control_Net zone is for the 10.47.5.0/24 addresses and the Server_Net zone is for 10.47.20.0/24 addresses. Where do I place a security policy that allows traffic to/from the NAT range of 172.16.221.32/28? Do I need to devine a zone for the NAT range, and if so, how do I go about it?

 

 

What I am trying to do is replicate the following rules that are currently in an old Cisco 2901 router that I am replacing with the PA-220:
 
ip nat inside source static 10.47.5.22 172.16.221.33 route-map 2EDF
ip nat inside source static 10.47.5.21 172.16.221.34 route-map 2EDF
ip nat inside source static 10.47.28.100 172.16.221.35 route-map 2EDF
ip nat inside source static 10.47.20.22 172.16.221.36 route-map 2EDF
ip nat inside source static 10.47.20.5 172.16.221.37 route-map 2EDF
ip nat inside source static 10.47.20.11 172.16.221.38 route-map 2EDF
ip nat inside source static 10.47.20.12 172.16.221.39 route-map 2EDF
ip nat inside source static 10.47.20.26 172.16.221.40 route-map 2EDF
ip nat inside source static 10.47.20.27 172.16.221.41 route-map 2EDF
ip nat inside source static 10.47.20.50 172.16.221.42 route-map 2EDF
ip nat inside source static 10.47.20.51 172.16.221.43 route-map 2EDF
!
!
access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.200.0 0.0.0.255
access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.202.0 0.0.0.255
access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.207.0 0.0.0.255
access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.208.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
!
route-map 2EDF permit 10
 match ip address 105
 
I've tried about every combination of NAT rule, Zone config, Security Policy, and virtual router static route that I can think of and I cannot figure it out. With the above rules on the old router, I can ping from, say, a server at 10.47.20.50 to the natted IP of another server on the local network such as 172.16.221.43 (that is mapped to 10.47.20.51). I can't for the life of me get this to work on the PA-220. Also, the other end of the VPN can ping from one of their subnets to the 172.16.221.32/28 range successfully when the VPN is active on the old CIsco router.
  • 2054 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!